Facebook isn’t synonymous with privacy by any stretch of the imagination. But for some reason, they decided to add a feature that allows for military grade encryption of email notifications. Facebook accepts any OpenPGP implementation to use the feature. PGP was created by Phil Zimmermann. You can learn more about its creation in my article here.
In short, PGP is a public-key (asymmetric) encryption system. The software generates a unique key pair, a public key and a private key, protects the private key with a secret passphrase you enter, and lets you choose the level of cryptographic strength you prefer during generation.
Once the keys are generated, you can distribute your public key to other people. They can encrypt a secret text, file, or email with your public key, and once it is encrypted the only person who can decrypt it is you. When you receive the encrypted file, you use your secret passphrase and private key to decrypt it for viewing. The same works in reverse for anyone you wish to communicate with: encrypt a file with their public key so it cannot be read by anyone tapping the internet, the network, or a machine along the way. It is completely safe until it is opened by the receiver.
A feature like this shouldn’t go to waste, so it’s time to implement it. We will need to install some OpenPGP software, create our keys, upload them to Facebook and confirm that everything worked out correctly.
Creating the PGP public and secret key
We need to install GNU Privacy Guard, which is a free and complete implementation of OpenPGP. You can try other routes but GPG is considered an industry standard so it’s better to stick to what most people trust for proper encryption.
Install with your operating system’s package manager.
Windows users not familiar with Chocolatey: install procedure here.
# Windows with Chocolatey
choco install gnupg
# Linux
sudo <apt|apt-get|dnf|pacman> install gnupg2
# macOS with Homebrew
brew install gnupg
With GNU Privacy Guard installed, it’s time to create your first PGP public key and corresponding secret key to start receiving encrypted notifications from Facebook.
To generate your keys, fire off the following GPG command.
When you follow the key generation dialog, make sure you:
- Choose RSA and RSA as the key type.
- Make sure your RSA keys are 4096 bits in length.
- Protect your secret key with a passphrase of roughly 52 characters.
Once you have generated your keys, export the public key to upload to Facebook.
gpg --armor --output public-key.gpg --export <email>
Open up the file: it should be a single ASCII-armored block starting with -----BEGIN PGP PUBLIC KEY BLOCK-----, followed by the base64 body, a short checksum line beginning with =, and -----END PGP PUBLIC KEY BLOCK-----.
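As an added check before pasting the block into Facebook (example code written for this post, not Facebook's or GnuPG's): a small Python parser that reads the exported public-key.gpg, verifies the armor's CRC-24 checksum line and inspects the primary key packet to confirm it is RSA with a 4096-bit modulus, as recommended above. The file name, the constructed sample key and its 1600000000 creation timestamp are assumptions; the parser only handles the old-format packet header that gpg --export writes for the primary key.

```python
import base64, re, struct
ALGO = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880 sec. 9.1

def crc24(data: bytes) -> int:  # armor checksum (RFC 4880 sec. 6.1), carried base64-encoded on the '=xxxx' line
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:  # strip the armor of public-key.gpg, verify the CRC line, return raw packet bytes
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not m:
        raise ValueError("not an OpenPGP public key block")
    # Drop the blank separator and any 'Header: value' lines; a final 5-char line starting with '=' holds the CRC.
    lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip() and ": " not in ln]
    crc_line = lines.pop() if lines and len(lines[-1]) == 5 and lines[-1][0] == "=" else None
    raw = base64.b64decode("".join(lines), validate=True)
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("CRC-24 mismatch: the exported file is corrupted or truncated")
    return raw

def primary_key_info(raw: bytes) -> dict:  # first packet of gpg --export: a v4 Public-Key packet, old-format header
    ctb = raw[0]
    if ctb & 0xC0 != 0x80 or ctb & 0x03 == 3:
        raise ValueError("expected an old-format packet header with an explicit length")
    tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
    body = raw[1 + size:1 + size + int.from_bytes(raw[1:1 + size], "big")]
    if tag != 6 or body[0] != 4:
        raise ValueError(f"expected a v4 public-key packet, got tag {tag} version {body[0]}")
    algo = body[5]  # body[1:5] is the creation time
    bits = struct.unpack(">H", body[6:8])[0] if algo in (1, 2, 3) else None  # RSA: bit length of MPI n
    return {"algorithm": ALGO.get(algo, f"unknown({algo})"), "bits": bits}

def check_export(text: str, min_bits: int = 4096) -> list:  # [] means the key matches the RSA/4096 advice above
    info = primary_key_info(dearmor(text))
    if info["algorithm"] != "RSA":
        return [f"primary key is {info['algorithm']}, not RSA"]
    return [] if info["bits"] >= min_bits else [f"RSA modulus is only {info['bits']} bits"]

def constructed_export(bits: int) -> str:  # constructed sample with placeholder numbers, not a usable key
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # 0x99: old-format header, tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Run check_export(open("public-key.gpg").read()) on your own export; an empty list means the file is intact and the primary key matches the checklist, anything else names what is off.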
Adding the public key to Facebook
Now go to Settings -> Security and Login -> Advanced -> Encrypted notification emails.
Once you reach this page, you can copy and paste your public key into the text box.
Check the box that says “Use this public key to encrypt notification emails that Facebook sends you?” Then save changes.
Decrypting the confirmation email and confirming the process
Once you have saved changes in the previous step, you will get a maiden voyage email from Facebook; confirming a link inside it verifies that encrypted notification emails are now working correctly.
We can now download the encrypted.asc attachment from the email and decrypt the notification with GPG. Back on the command line, decrypt the .asc file to see the notification. Output the result as an HTML file so you don’t have to read the raw HTML of the notification; a browser renders it just fine. Have the secret passphrase you entered while creating the public and secret key ready, as it is needed during decryption.
gpg --output encrypted.html --decrypt encrypted.asc
Open the decrypted HTML file in a browser by double clicking it. You will get a confirmation page asking you to verify by clicking the link it specifies.
This link will take you back to Facebook and confirm that encrypted email notifications are working. Note that all account recovery emails will be encrypted as well.
Exporting our OpenPGP keys
Since our account recovery emails are now encrypted too, this has its pros and cons. In theory, only we hold the private key needed to decrypt a notification if our email account is compromised, and that applies especially to the password change process: a decent defense in depth approach. However, it also means that losing the keys could lock us out completely. To offset that drawback, we can export our public and secret keys to upload to a cloud server or a USB key and store them away in a safe. To export the keys, enter the following commands. You will need your secret passphrase to export the private key, so have that accessible.
gpg --output public-pgp.key --armor --export <email>
gpg --output private-pgp.key --armor --export-secret-key <email>
Obviously, this isn’t for everyone. Most people are not going to bother with the steps to configure the encryption. This is mostly geared to encryption advocates, or high-profile individuals for whom a major Facebook compromise would be a huge liability. It’s worth highlighting that this feature is here if this level of security is what you need for your environment.
If command-line encrypting and decrypting isn’t your thing, or isn’t scalable with a large volume of Facebook notifications, there are some decent plugins you can integrate into your email client.